honeywall roo 2
TRANSCRIPT
Sebek Tools
• Two sets of sample incident data (and your own data from your class honeynets):
  – 1 from Mexican honeypot (192.168.100.28): example.pcap.gz
  – 1 from UK honeypot (82.68.40.145): 20040319/*.gz
Honeysnap
• Command-line tool for parsing single or multiple pcap data files
• Outputs a 'first-cut' analysis report to identify potentially significant events
• Typically run off-line in batch mode, perhaps as a nightly email report
• Just need to provide it with the IP address of the honeypot / node of interest
Honeysnap (Cont.)
• Packet and connection overview
• Simple flow extraction (ASCII based)
• Common protocol decoding
• Binary file transfer extraction
• Flow summary of in/outbound connections
• Keystroke extraction of Sebek v2/v3 data
• Identification and analysis of IRC traffic, including keyword matching
Honeysnap Install in Honeywall
• https://projects.honeynet.org/honeysnap/wiki/WikiStart
• Install pypcap: rpm -ivh pcap-1.1-1.i386.rpm
• Install honeysnap:
  – $ tar xvzf honeysnap-1.0.6
  – $ cd honeysnap-1.0.6
  – $ sudo python setup.py install
Honeysnap Instructions:
• Parse a Honeywall pcap capture:
  – honeysnap -c honeynet.cfg example.pcap
• Basic information:
  – honeysnap -H192.168.100.28 example.pcap
• Parse a specific protocol and write the data to a file:
  – honeysnap -H192.168.100.28 --do-http -f /home/roo/analysis/results.txt example.pcap
• Full analysis with a generated report:
  – honeysnap -H192.168.100.28 --do-outgoing --do-irc --do-ftp --do-sebek --do-http --do-outgoing -o /home/roo/analysis -f /home/roo/analysis/results.txt example.pcap
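To show what the 'flow summary of in/outbound connections' step does with the -H honeypot address, here is an added, stand-alone Python example (not honeysnap's own code): it reads a classic libpcap file, keeps only TCP SYNs, and counts new connections into and out of the honeypot 192.168.100.28. The pcap bytes are constructed inline (hypothetical peers 10.0.0.5, 10.0.0.9, 203.0.113.7) so it runs offline.

```python
import struct
from collections import Counter
HONEYPOT = "192.168.100.28"  # honeypot address used on the slides

def tcp_frame(src, dst, sport, dport, flags=0x02):
    """Ethernet/IPv4/TCP frame with no payload (constructed sample data)."""
    ip2b = lambda s: bytes(int(x) for x in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip2b(src), ip2b(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Classic little-endian libpcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1079000000 + i, 0, len(f), len(f)) + f
    return out

def flow_summary(data, honeypot=HONEYPOT):
    """Count TCP SYNs to/from the honeypot, keyed by (peer, destination port)."""
    inbound, outbound = Counter(), Counter()
    off = 24                                  # skip the pcap global header
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if tcp[13] & 0x12 != 0x02:            # SYN without ACK = new connection
            continue
        dport = struct.unpack("!H", tcp[2:4])[0]
        if dst == honeypot:
            inbound[(src, dport)] += 1
        elif src == honeypot:
            outbound[(dst, dport)] += 1
    return inbound, outbound

# Constructed sample: two SSH SYNs from one scanner, the honeypot's SYN/ACK reply,
# one SMB probe, and one outbound connection from the honeypot to IRC port 6667.
SAMPLE = pcap_bytes([
    tcp_frame("10.0.0.5", HONEYPOT, 40001, 22),
    tcp_frame("10.0.0.5", HONEYPOT, 40002, 22),
    tcp_frame(HONEYPOT, "10.0.0.5", 22, 40001, flags=0x12),
    tcp_frame("10.0.0.9", HONEYPOT, 50000, 445),
    tcp_frame(HONEYPOT, "203.0.113.7", 33000, 6667),
])
```

An outbound entry such as the IRC connection above is the kind of event honeysnap's --do-outgoing and --do-irc passes are meant to surface, since a honeypot should not initiate connections on its own.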